import dnf-4.7.0-3.el8
This commit is contained in:
parent
80bdcdb727
commit
2b5805ed4f
56
SOURCES/0003-Pass-the-package-to-rpmkeys-stdin.patch
Normal file
56
SOURCES/0003-Pass-the-package-to-rpmkeys-stdin.patch
Normal file
@ -0,0 +1,56 @@
|
|||||||
|
From 134b095b0833956cadfc02a9a1e7ca1344cd5aaa Mon Sep 17 00:00:00 2001
|
||||||
|
From: Demi Marie Obenour <demi@invisiblethingslab.com>
|
||||||
|
Date: Tue, 27 Apr 2021 21:07:19 -0400
|
||||||
|
Subject: [PATCH] Pass the package to rpmkeys stdin
|
||||||
|
|
||||||
|
This avoids having to compute the expected stdout value, which will
|
||||||
|
always be the constant "-: digests signatures OK\n".
|
||||||
|
---
|
||||||
|
dnf/rpm/miscutils.py | 10 ++++++----
|
||||||
|
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
|
||||||
|
index 7e33d4c..5f2621c 100644
|
||||||
|
--- a/dnf/rpm/miscutils.py
|
||||||
|
+++ b/dnf/rpm/miscutils.py
|
||||||
|
@@ -29,7 +29,8 @@ from shutil import which
|
||||||
|
logger = logging.getLogger('dnf')
|
||||||
|
|
||||||
|
|
||||||
|
-def _verifyPkgUsingRpmkeys(package, installroot):
|
||||||
|
+def _verifyPkgUsingRpmkeys(package, installroot, fdno):
|
||||||
|
+ os.lseek(fdno, 0, os.SEEK_SET)
|
||||||
|
rpmkeys_binary = '/usr/bin/rpmkeys'
|
||||||
|
if not os.path.isfile(rpmkeys_binary):
|
||||||
|
rpmkeys_binary = which("rpmkeys")
|
||||||
|
@@ -40,15 +41,16 @@ def _verifyPkgUsingRpmkeys(package, installroot):
|
||||||
|
logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
|
||||||
|
return 0
|
||||||
|
|
||||||
|
- args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '--', package)
|
||||||
|
+ args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '-')
|
||||||
|
with subprocess.Popen(
|
||||||
|
args=args,
|
||||||
|
executable=rpmkeys_binary,
|
||||||
|
env={'LC_ALL': 'C'},
|
||||||
|
+ stdin=fdno,
|
||||||
|
stdout=subprocess.PIPE,
|
||||||
|
cwd='/') as p:
|
||||||
|
data, err = p.communicate()
|
||||||
|
- if p.returncode != 0 or data != (package.encode('ascii', 'strict') + b': digests signatures OK\n'):
|
||||||
|
+ if p.returncode != 0 or data != b'-: digests signatures OK\n':
|
||||||
|
return 0
|
||||||
|
else:
|
||||||
|
return 1
|
||||||
|
@@ -85,7 +87,7 @@ def checkSig(ts, package):
|
||||||
|
|
||||||
|
if siginfo == '(none)':
|
||||||
|
value = 4
|
||||||
|
- elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir):
|
||||||
|
+ elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir, fdno):
|
||||||
|
value = 0
|
||||||
|
else:
|
||||||
|
raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
|
||||||
|
--
|
||||||
|
libgit2 1.0.1
|
||||||
|
|
176
SOURCES/0004-Use-rpmkeys-alone-to-verify-signature.patch
Normal file
176
SOURCES/0004-Use-rpmkeys-alone-to-verify-signature.patch
Normal file
@ -0,0 +1,176 @@
|
|||||||
|
From a21880fbac479968546304beeeae3ed3bb899373 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Demi Marie Obenour <demi@invisiblethingslab.com>
|
||||||
|
Date: Fri, 9 Apr 2021 13:03:03 -0400
|
||||||
|
Subject: [PATCH] Use rpmkeys alone to verify signature
|
||||||
|
|
||||||
|
This avoids having to actually parse the package to check its signature,
|
||||||
|
which reduces attack surface. If the output of rpmkeys cannot be
|
||||||
|
parsed, we assume the package is corrupt (the most likely cause).
|
||||||
|
---
|
||||||
|
dnf/rpm/miscutils.py | 126 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------------------------------------------
|
||||||
|
1 file changed, 66 insertions(+), 60 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
|
||||||
|
index 5f2621c..9d5b286 100644
|
||||||
|
--- a/dnf/rpm/miscutils.py
|
||||||
|
+++ b/dnf/rpm/miscutils.py
|
||||||
|
@@ -13,90 +13,96 @@
|
||||||
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
# Copyright 2003 Duke University
|
||||||
|
|
||||||
|
-from __future__ import print_function, absolute_import
|
||||||
|
-from __future__ import unicode_literals
|
||||||
|
+from __future__ import print_function, absolute_import, unicode_literals
|
||||||
|
|
||||||
|
-import rpm
|
||||||
|
import os
|
||||||
|
import subprocess
|
||||||
|
import logging
|
||||||
|
-
|
||||||
|
-from dnf.i18n import ucd
|
||||||
|
-from dnf.i18n import _
|
||||||
|
from shutil import which
|
||||||
|
|
||||||
|
+from dnf.i18n import _
|
||||||
|
|
||||||
|
-logger = logging.getLogger('dnf')
|
||||||
|
+_logger = logging.getLogger('dnf')
|
||||||
|
+_rpmkeys_binary = None
|
||||||
|
|
||||||
|
+def _find_rpmkeys_binary():
|
||||||
|
+ global _rpmkeys_binary
|
||||||
|
+ if _rpmkeys_binary is None:
|
||||||
|
+ _rpmkeys_binary = which("rpmkeys")
|
||||||
|
+ _logger.debug(_('Using rpmkeys executable at %s to verify signatures'),
|
||||||
|
+ _rpmkeys_binary)
|
||||||
|
+ return _rpmkeys_binary
|
||||||
|
|
||||||
|
-def _verifyPkgUsingRpmkeys(package, installroot, fdno):
|
||||||
|
- os.lseek(fdno, 0, os.SEEK_SET)
|
||||||
|
- rpmkeys_binary = '/usr/bin/rpmkeys'
|
||||||
|
- if not os.path.isfile(rpmkeys_binary):
|
||||||
|
- rpmkeys_binary = which("rpmkeys")
|
||||||
|
- logger.info(_('Using rpmkeys executable from {path} to verify signature for package: {package}.').format(
|
||||||
|
- path=rpmkeys_binary, package=package))
|
||||||
|
+def _process_rpm_output(data):
|
||||||
|
+ # No signatures or digests = corrupt package.
|
||||||
|
+ # There is at least one line for -: and another (empty) entry after the
|
||||||
|
+ # last newline.
|
||||||
|
+ if len(data) < 3 or data[0] != b'-:' or data[-1]:
|
||||||
|
+ return 2
|
||||||
|
+ seen_sig, missing_key, not_trusted, not_signed = False, False, False, False
|
||||||
|
+ for i in data[1:-1]:
|
||||||
|
+ if b': BAD' in i:
|
||||||
|
+ return 2
|
||||||
|
+ elif i.endswith(b': NOKEY'):
|
||||||
|
+ missing_key = True
|
||||||
|
+ elif i.endswith(b': NOTTRUSTED'):
|
||||||
|
+ not_trusted = True
|
||||||
|
+ elif i.endswith(b': NOTFOUND'):
|
||||||
|
+ not_signed = True
|
||||||
|
+ elif not i.endswith(b': OK'):
|
||||||
|
+ return 2
|
||||||
|
+ if not_trusted:
|
||||||
|
+ return 3
|
||||||
|
+ elif missing_key:
|
||||||
|
+ return 1
|
||||||
|
+ elif not_signed:
|
||||||
|
+ return 4
|
||||||
|
+ # we still check return code, so this is safe
|
||||||
|
+ return 0
|
||||||
|
|
||||||
|
- if not os.path.isfile(rpmkeys_binary):
|
||||||
|
- logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
|
||||||
|
- return 0
|
||||||
|
+def _verifyPackageUsingRpmkeys(package, installroot):
|
||||||
|
+ rpmkeys_binary = _find_rpmkeys_binary()
|
||||||
|
+ if rpmkeys_binary is None or not os.path.isfile(rpmkeys_binary):
|
||||||
|
+ _logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
|
||||||
|
+ return 2
|
||||||
|
|
||||||
|
- args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '-')
|
||||||
|
+ # "--define=_pkgverify_level all" enforces signature checking;
|
||||||
|
+ # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
|
||||||
|
+ # are checked.
|
||||||
|
+ args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
|
||||||
|
+ '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
|
||||||
|
+ '-')
|
||||||
|
with subprocess.Popen(
|
||||||
|
args=args,
|
||||||
|
executable=rpmkeys_binary,
|
||||||
|
env={'LC_ALL': 'C'},
|
||||||
|
- stdin=fdno,
|
||||||
|
stdout=subprocess.PIPE,
|
||||||
|
- cwd='/') as p:
|
||||||
|
- data, err = p.communicate()
|
||||||
|
- if p.returncode != 0 or data != b'-: digests signatures OK\n':
|
||||||
|
- return 0
|
||||||
|
- else:
|
||||||
|
- return 1
|
||||||
|
+ cwd='/',
|
||||||
|
+ stdin=package) as p:
|
||||||
|
+ data = p.communicate()[0]
|
||||||
|
+ returncode = p.returncode
|
||||||
|
+ if type(returncode) is not int:
|
||||||
|
+ raise AssertionError('Popen set return code to non-int')
|
||||||
|
+ # rpmkeys can return something other than 0 or 1 in the case of a
|
||||||
|
+ # fatal error (OOM, abort() called, SIGSEGV, etc)
|
||||||
|
+ if returncode >= 2 or returncode < 0:
|
||||||
|
+ return 2
|
||||||
|
+ ret = _process_rpm_output(data.split(b'\n'))
|
||||||
|
+ if ret:
|
||||||
|
+ return ret
|
||||||
|
+ return 2 if returncode else 0
|
||||||
|
|
||||||
|
def checkSig(ts, package):
|
||||||
|
"""Takes a transaction set and a package, check it's sigs,
|
||||||
|
return 0 if they are all fine
|
||||||
|
return 1 if the gpg key can't be found
|
||||||
|
return 2 if the header is in someway damaged
|
||||||
|
return 3 if the key is not trusted
|
||||||
|
return 4 if the pkg is not gpg or pgp signed"""
|
||||||
|
|
||||||
|
- value = 4
|
||||||
|
- currentflags = ts.setVSFlags(0)
|
||||||
|
- fdno = os.open(package, os.O_RDONLY)
|
||||||
|
+ fdno = os.open(package, os.O_RDONLY|os.O_NOCTTY|os.O_CLOEXEC)
|
||||||
|
try:
|
||||||
|
- hdr = ts.hdrFromFdno(fdno)
|
||||||
|
- except rpm.error as e:
|
||||||
|
- if str(e) == "public key not available":
|
||||||
|
- value = 1
|
||||||
|
- elif str(e) == "public key not trusted":
|
||||||
|
- value = 3
|
||||||
|
- elif str(e) == "error reading package header":
|
||||||
|
- value = 2
|
||||||
|
- else:
|
||||||
|
- raise ValueError('Unexpected error value %r from ts.hdrFromFdno when checking signature.' % str(e))
|
||||||
|
- else:
|
||||||
|
- # checks signature from an hdr
|
||||||
|
- string = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:' \
|
||||||
|
- '{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'
|
||||||
|
- try:
|
||||||
|
- siginfo = hdr.sprintf(string)
|
||||||
|
- siginfo = ucd(siginfo)
|
||||||
|
-
|
||||||
|
- if siginfo == '(none)':
|
||||||
|
- value = 4
|
||||||
|
- elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir, fdno):
|
||||||
|
- value = 0
|
||||||
|
- else:
|
||||||
|
- raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
|
||||||
|
- except UnicodeDecodeError:
|
||||||
|
- pass
|
||||||
|
-
|
||||||
|
- del hdr
|
||||||
|
-
|
||||||
|
- os.close(fdno)
|
||||||
|
-
|
||||||
|
- ts.setVSFlags(currentflags) # put things back like they were before
|
||||||
|
+ value = _verifyPackageUsingRpmkeys(fdno, ts.ts.rootDir)
|
||||||
|
+ finally:
|
||||||
|
+ os.close(fdno)
|
||||||
|
return value
|
||||||
|
--
|
||||||
|
libgit2 1.0.1
|
||||||
|
|
@ -0,0 +1,36 @@
|
|||||||
|
From b05f4589e4afb69240ae2001246a5ffb5d6b1b90 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Aleš Matěj <amatej@redhat.com>
|
||||||
|
Date: Thu, 3 Jun 2021 11:23:31 +0200
|
||||||
|
Subject: [PATCH] Lower _pkgverify_level to signature for signature checking with rpmkeys
|
||||||
|
|
||||||
|
We don't want to be veryfing digests as well when checking signatures.
|
||||||
|
It would break legacy package installation in FIPS mode due to MD5
|
||||||
|
digest being unverifiable (see https://access.redhat.com/solutions/5221661)
|
||||||
|
|
||||||
|
Follow up for https://github.com/rpm-software-management/dnf/pull/1753
|
||||||
|
---
|
||||||
|
dnf/rpm/miscutils.py | 7 +++----
|
||||||
|
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
|
||||||
|
index 9d5b286..46ef475 100644
|
||||||
|
--- a/dnf/rpm/miscutils.py
|
||||||
|
+++ b/dnf/rpm/miscutils.py
|
||||||
|
@@ -66,11 +66,10 @@ def _verifyPackageUsingRpmkeys(package, installroot):
|
||||||
|
_logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
|
||||||
|
return 2
|
||||||
|
|
||||||
|
- # "--define=_pkgverify_level all" enforces signature checking;
|
||||||
|
- # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
|
||||||
|
- # are checked.
|
||||||
|
+ # "--define=_pkgverify_level signature" enforces signature checking;
|
||||||
|
+ # "--define=_pkgverify_flags 0x0" ensures that all signatures are checked.
|
||||||
|
args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
|
||||||
|
- '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
|
||||||
|
+ '--define=_pkgverify_level signature', '--define=_pkgverify_flags 0x0',
|
||||||
|
'-')
|
||||||
|
with subprocess.Popen(
|
||||||
|
args=args,
|
||||||
|
--
|
||||||
|
libgit2 1.0.1
|
||||||
|
|
@ -66,7 +66,7 @@ It supports RPMs, modules and comps groups & environments.
|
|||||||
|
|
||||||
Name: dnf
|
Name: dnf
|
||||||
Version: 4.7.0
|
Version: 4.7.0
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: %{pkg_summary}
|
Summary: %{pkg_summary}
|
||||||
# For a breakdown of the licensing, see PACKAGE-LICENSING
|
# For a breakdown of the licensing, see PACKAGE-LICENSING
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
@ -74,6 +74,9 @@ URL: https://github.com/rpm-software-management/dnf
|
|||||||
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
|
Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz
|
||||||
Patch1: 0001-Set-top-level-directory-for-unittest.patch
|
Patch1: 0001-Set-top-level-directory-for-unittest.patch
|
||||||
Patch2: 0002-dnfrpmmiscutilspy-fix-usage-of-_.patch
|
Patch2: 0002-dnfrpmmiscutilspy-fix-usage-of-_.patch
|
||||||
|
Patch3: 0003-Pass-the-package-to-rpmkeys-stdin.patch
|
||||||
|
Patch4: 0004-Use-rpmkeys-alone-to-verify-signature.patch
|
||||||
|
Patch5: 0005-Lower-_pkgverify_level-to-signature-for-signature-checking-with-rpmkeys.patch
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: cmake
|
BuildRequires: cmake
|
||||||
@ -373,6 +376,9 @@ popd
|
|||||||
%{python3_sitelib}/%{name}/automatic/
|
%{python3_sitelib}/%{name}/automatic/
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Aug 16 2021 Pavla Kratochvilova <pkratoch@redhat.com> - 4.7.0-3
|
||||||
|
- Improve signature checking using rpmkeys (RhBug:1967454)
|
||||||
|
|
||||||
* Tue Jul 27 2021 Pavla Kratochvilova <pkratoch@redhat.com> - 4.7.0-2
|
* Tue Jul 27 2021 Pavla Kratochvilova <pkratoch@redhat.com> - 4.7.0-2
|
||||||
- Fix covscan issue: dnf/rpm/miscutils.py: fix usage of _()
|
- Fix covscan issue: dnf/rpm/miscutils.py: fix usage of _()
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user